Skip to content

Commit

Permalink
Merge pull request #17009 from jim-minter/issue16654
Browse files Browse the repository at this point in the history
Automatic merge from submit-queue (batch tested with PRs 17007, 17003, 17001, 17009).

wait for group cache in templateinstance tests

fixes #16654

(builds on #16979)

@gabemontero fyi
  • Loading branch information
openshift-merge-robot authored Oct 23, 2017
2 parents 01f2147 + 9d8b6be commit 05d2e14
Show file tree
Hide file tree
Showing 2 changed files with 102 additions and 65 deletions.
121 changes: 81 additions & 40 deletions test/extended/templates/templateinstance_impersonation.go
Original file line number Diff line number Diff line change
@@ -1,13 +1,16 @@
package templates

import (
"time"

g "github.com/onsi/ginkgo"
o "github.com/onsi/gomega"

kerrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/wait"
kapi "k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/client/retry"

Expand Down Expand Up @@ -53,17 +56,91 @@ var _ = g.Describe("[Conformance][templates] templateinstance impersonation test
)

g.BeforeEach(func() {
var err error

adminuser = createUser(cli, "adminuser", bootstrappolicy.AdminRoleName)
impersonateuser = createUser(cli, "impersonateuser", bootstrappolicy.EditRoleName)
impersonatebygroupuser = createUser(cli, "impersonatebygroupuser", bootstrappolicy.EditRoleName)
impersonategroup = createGroup(cli, "impersonategroup", bootstrappolicy.EditRoleName)
addUserToGroup(cli, impersonatebygroupuser.Name, impersonategroup.Name)
edituser1 = createUser(cli, "edituser1", bootstrappolicy.EditRoleName)
edituser2 = createUser(cli, "edituser2", bootstrappolicy.EditRoleName)
viewuser = createUser(cli, "viewuser", bootstrappolicy.ViewRoleName)

impersonategroup = createGroup(cli, "impersonategroup", bootstrappolicy.EditRoleName)
addUserToGroup(cli, impersonatebygroupuser.Name, impersonategroup.Name)

// additional plumbing to enable impersonateuser to impersonate edituser1
role, err := cli.AdminAuthorizationClient().Authorization().Roles(cli.Namespace()).Create(&authorizationapi.Role{
ObjectMeta: metav1.ObjectMeta{
Name: "impersonater",
},
Rules: []authorizationapi.PolicyRule{
{
Verbs: sets.NewString("assign"),
APIGroups: []string{templateapi.GroupName},
Resources: sets.NewString("templateinstances"),
},
},
})
o.Expect(err).NotTo(o.HaveOccurred())

_, err = cli.AdminAuthorizationClient().Authorization().RoleBindings(cli.Namespace()).Create(&authorizationapi.RoleBinding{
ObjectMeta: metav1.ObjectMeta{
Name: "impersonater-binding",
},
RoleRef: kapi.ObjectReference{
Name: role.Name,
Namespace: cli.Namespace(),
},
Subjects: []kapi.ObjectReference{
{
Kind: authorizationapi.UserKind,
Name: impersonateuser.Name,
},
{
Kind: authorizationapi.GroupKind,
Name: impersonategroup.Name,
},
},
})
o.Expect(err).NotTo(o.HaveOccurred())

// I think we get flakes when the group cache hasn't yet noticed the
// new group membership made above. Wait until all it looks like
// all the users above have access to the namespace as expected.
err = wait.PollImmediate(time.Second, 30*time.Second, func() (done bool, err error) {
for _, user := range []*userapi.User{adminuser, impersonateuser, impersonatebygroupuser, edituser1, edituser2, viewuser} {
cli.ChangeUser(user.Name)
sar, err := cli.AuthorizationClient().Authorization().LocalSubjectAccessReviews(cli.Namespace()).Create(&authorizationapi.LocalSubjectAccessReview{
Action: authorizationapi.Action{
Verb: "get",
Resource: "pods",
},
})
if err != nil {
return false, err
}
if !sar.Allowed {
return false, nil
}
}

cli.ChangeUser(impersonatebygroupuser.Name)
sar, err := cli.AuthorizationClient().Authorization().LocalSubjectAccessReviews(cli.Namespace()).Create(&authorizationapi.LocalSubjectAccessReview{
Action: authorizationapi.Action{
Verb: "assign",
Group: templateapi.GroupName,
Resource: "templateinstances",
},
})
if err != nil {
return false, err
}
if !sar.Allowed {
return false, nil
}

return true, nil
})
o.Expect(err).NotTo(o.HaveOccurred())

dummytemplateinstance = &templateapi.TemplateInstance{
ObjectMeta: metav1.ObjectMeta{
Name: "test",
Expand Down Expand Up @@ -141,42 +218,6 @@ var _ = g.Describe("[Conformance][templates] templateinstance impersonation test
hasUpdateStatusPermission: false,
},
}

// additional plumbing to enable impersonateuser to impersonate edituser1
role, err := cli.AdminAuthorizationClient().Authorization().Roles(cli.Namespace()).Create(&authorizationapi.Role{
ObjectMeta: metav1.ObjectMeta{
Name: "impersonater",
},
Rules: []authorizationapi.PolicyRule{
{
Verbs: sets.NewString("assign"),
APIGroups: []string{templateapi.GroupName},
Resources: sets.NewString("templateinstances"),
},
},
})
o.Expect(err).NotTo(o.HaveOccurred())

_, err = cli.AdminAuthorizationClient().Authorization().RoleBindings(cli.Namespace()).Create(&authorizationapi.RoleBinding{
ObjectMeta: metav1.ObjectMeta{
Name: "impersonater-binding",
},
RoleRef: kapi.ObjectReference{
Name: role.Name,
Namespace: cli.Namespace(),
},
Subjects: []kapi.ObjectReference{
{
Kind: authorizationapi.UserKind,
Name: impersonateuser.Name,
},
{
Kind: authorizationapi.GroupKind,
Name: impersonategroup.Name,
},
},
})
o.Expect(err).NotTo(o.HaveOccurred())
})

g.AfterEach(func() {
Expand Down
46 changes: 21 additions & 25 deletions test/extended/templates/templateinstance_security.go
Original file line number Diff line number Diff line change
Expand Up @@ -77,32 +77,28 @@ var _ = g.Describe("[Conformance][templates] templateinstance security tests", f
editgroup = createGroup(cli, "editgroup", bootstrappolicy.EditRoleName)
addUserToGroup(cli, editbygroupuser.Name, editgroup.Name)

/*
// jminter: commenting this out for now in case it turns out to be superstition
// I think we get flakes when the group cache hasn't yet noticed the
// new group membership made above. Wait until all it looks like
// all the users above have access to the namespace as expected.
err := wait.PollImmediate(time.Second, 30*time.Second, func() (done bool, err error) {
for _, user := range []*userapi.User{adminuser, edituser, editbygroupuser} {
cli.ChangeUser(user.Name)
sar, err := cli.AuthorizationClient().Authorization().LocalSubjectAccessReviews(cli.Namespace()).Create(&authorizationapi.LocalSubjectAccessReview{
Action: authorizationapi.Action{
Verb: "get",
Resource: "pods",
},
})
if err != nil {
return false, err
}
if !sar.Allowed {
return false, nil
}
// I think we get flakes when the group cache hasn't yet noticed the
// new group membership made above. Wait until all it looks like
// all the users above have access to the namespace as expected.
err := wait.PollImmediate(time.Second, 30*time.Second, func() (done bool, err error) {
for _, user := range []*userapi.User{adminuser, edituser, editbygroupuser} {
cli.ChangeUser(user.Name)
sar, err := cli.AuthorizationClient().Authorization().LocalSubjectAccessReviews(cli.Namespace()).Create(&authorizationapi.LocalSubjectAccessReview{
Action: authorizationapi.Action{
Verb: "get",
Resource: "pods",
},
})
if err != nil {
return false, err
}
return true, nil
})
o.Expect(err).NotTo(o.HaveOccurred())
*/
if !sar.Allowed {
return false, nil
}
}
return true, nil
})
o.Expect(err).NotTo(o.HaveOccurred())
})

g.AfterEach(func() {
Expand Down

0 comments on commit 05d2e14

Please sign in to comment.